What a way to start the year! The now-well-known WMF vulnerability, which allows an infected
image to silently take over your PC, was first publicized just before New Year’s
Eve. It resulted in a frantic week for Microsoft and millions of Windows
users who wanted to protect themselves.
I considered the risk of infection from hacked Windows metafiles (.wmf
files) to be so dire that I published an unprecedented
two news updates in the same week. (In the past 12 months, I’d felt the need to
release only 5 news updates.)
On Jan. 5, Microsoft released an emergency patch, MS06-001, which corrects
Windows’ so-called WMF (Windows metafile) vulnerability. A WMF exploit can silently infect
a PC when it merely displays an image in any browser, instant
messaging, P2P, e-mail, or in a directory listing in Windows Explorer; when
desktop-search applications index an infected image file; and in other ways.
I published a special
news update earlier
in the week urging readers to install an unofficial patch for this problem. This
workaround was also strongly recommended by F-Secure, the SANS Institute’s Internet Storm
Center (ISC), and several other security sites.
A weakness in the way Windows renders images is being
exploited on the Internet and affects any browser you may be using, not just
Microsoft has no patch for the problem at this writing. An official patch may
appear at any time, or it may take days or weeks. I recommend that you
immediately run a small,
unofficial patch that was developed by white-hat security researchers to make
your PCs immune to the problem.
I’ve spent most of this year — I’m tempted to say “wasted most of this year”
— writing about Windows security holes, patches, patches of patches, threats,
and vulnerabilities, both real and imagined.
Reviewers of computer products often exhibit maddening differences in their
ratings of identical sets of items. But when several unrelated reviewers all
pick the same product as Editors’ Choice, you can be sure you’ve found a real
I’ve always found it hard to locate trustworthy ratings of Windows products
using search engines. Now you don’t have to wade through page after page of
e-tailers’ listings — I’ve scoured every available published test to pick the
best for my first Gear of the Year awards.
No doubt you’ve read about Microsoft’s new Outlook antiphishing software, built into
the recent Office 2003 Service Pack 2. Some of the media coverage I’ve seen
sounds like it was copied, verbatim, from the company’s press releases.
The last few years, I’ve found myself doing quality-assurance work
for a vendor that sells software to large enterprise customers. That means,
among other things, that I’m responsible for checking the updates and patches that go out
to those customers.
Things are moving so quickly in the world of spyware that the major computer
magazines should really retest all antispyware applications every three months
or so. Fortunately, three new reviews have come out just in the past
week to give us fresh results.
Burned users howled when they ran into problems with the new 6.0 version of
ZoneAlarm Pro and ZoneAlarm Security Suite last month — but the makers of
the award-winning software have now released an update
that they say corrects the errors.